Excessive employee permissions expose SMEs to insider threats

Varonis Systems, Inc., a provider of software solutions that protect data from insider threats and cyberattacks, reveals the results from the Varonis Data Risk Report, showcasing an alarming level of exposure for corporate and sensitive files across organisations, including an average of 20 per cent of folders per organisation open to every employee.

Using the Varonis Data Security Platform (DSP), Varonis conducted over a thousand risk assessments for customers and potential customers on a subset of their file systems. Each assessment provides insight into the risks associated with corporate data, identifies where sensitive and regulated data resides, reveals over-exposed and high-risk areas, and makes recommendations to improve the organisation's data security posture.

Additional key findings

236.5 million folders containing 2.8 billion files, comprising 3.79 petabytes of data, were analysed. Of that figure, 48,054,198 folders were open to ‘global access groups,’ meaning groups that grant access to the entire organisation.

Nearly half (47 per cent) of organisations had at least 1,000 sensitive files open to every employee; 22 per cent had 12,000 or more sensitive files exposed to every employee.

Nearly three quarters (71 per cent) of all folders contained stale data, accounting for almost two petabytes of data.

24.4 million folders had unique permissions, increasing complexity and making it more difficult to enforce a least privilege model and comply with regulations such as the General Data Protection Regulation (GDPR).

Failure to reduce the use of global access groups, lock down sensitive files and dispose of stale data exposes an organisation to data breaches, insider threats and crippling ransomware attacks.

A recent Ponemon study finds that 62 per cent of end users say they have access to company data they probably should not see, and a Forrester Consulting study shows that 59 per cent don’t enforce a need-to-know permissions model for sensitive files.

Individual company risks

A third (35 per cent) of an insurance firm’s 86.4 million folders were open to every employee.

Four out of five (80 per cent) of a banking institution’s 245,575 sensitive files were accessible to every employee.

Another banking institution had 11.6 million folders with unique permissions, complicating its efforts to reduce file access on a need-to-know basis.

‘In data breaches and ransomware attacks, files are targeted because they are high value assets and usually vulnerable to misuse by insiders and outsiders that transgress the perimeter. While organisations focus on outer defences and chasing threats, the data itself is left broadly accessible and unmonitored,’ says Ken Spinner, vice president of field engineering at Varonis.

‘Organisations participate in our risk assessments because they understand the value of their data and the risk it poses for being stolen or abused. We applaud their efforts in taking the first step towards mitigating risk.’

‘We found files with sensitive PII in places it should not have been,’ adds a chief security officer for a state and local government in a recent TechValidate customer survey.

According to that same survey, 68 per cent of end users perform a risk assessment to validate security concerns; 95 per cent agree that the risk assessment helped them identify at-risk, sensitive and classified data and build a plan of attack to reduce the likelihood of a data breach from insider threats; and 82 per cent rate global access remediation a top priority after seeing the results.

‘The initial assessment gets the immediate attention of management, which then assists in building and executing the internal remediation process,’ says a security manager at a beverage company in the same TechValidate customer survey.

The Varonis Data Risk Report showcases the findings from a random sample of 80 risk assessments conducted for customers and potential customers between January and December 2016 across 12 countries and 33 industries, within organisations ranging from 50 to more than 10,000 employees. All organisational identifiers have been removed.